Python/Powershell Incident Response Class
Nowadays most Windows-based attacks revolve around PowerShell. As an incident responder, you should know your way around PowerShell, especially how attackers can leverage it in various ways across the attack lifecycle. The aim of this article is to give a glimpse of the different techniques in the PowerShell arsenal that can aid responders in hunting activities. This course focuses on battling the much-maligned Advanced Persistent Threat (APT) and is up to date with the latest forensics techniques. Incident management is an often-debated, frequently misunderstood topic that can quickly befuddle even the most advanced security teams. So, to clear things up, we took "lessons learned" from successes and failures over the years. While it may not answer every question you have about modern incident response, we hope it sets the wheels in motion for something better than what you have today.
Class Fee: $3,990
Time: 72 hrs
Learning Level: Entry
Contact Hours: 41 hr lecture, 31 hr labs
Prerequisites: Understanding of TCP/IP protocols
Credits: 72 CPE / 3 CEU
Method of Delivery: Residential (face-to-face) or hybrid
Instructor: TBD
Method of Evaluation: 1. 95% attendance; 2. 100% completion of labs
Grading: Pass = attendance + labs & quizzes; Fail = attendance below 95%
This 72-hour accelerated class is taught face-to-face or in hybrid modality. The class includes 72 hours of contact studies, labs, reading assignments and a final exam; passing the final exam is a requirement for graduation.
Class Materials – SU class textbook, labs and resources CD
KU Outcomes
- Students will be able to write a script in PowerShell.
- Students will be able to describe how to use PowerShell to implement various risk, incident and analysis methodologies.
- Students will be able to evaluate and categorize risk using PowerShell-driven incident response.
- Text materials: labs, SU pen testing materials, resource CDs and attack handouts.
- Machines: dual core, 486M RAM, 1TGig drives, running MS OS, Linux, and VMware Workstation.
Did you hear about North Korea hacking Sony Pictures? Or about Stuxnet, one of the most sophisticated APTs, which affected nuclear plants in Iran? This exciting certification requires clearing CMSD first before you can start learning how to dissect nation-state-sponsored attacks! You will learn techniques to dynamically instrument binaries during execution with PinTool, and how to create Immunity Debugger plugins to hook malicious APIs. You will have the chance to understand and practice how to dissect the most sophisticated APT of our era, The Equation Group, and see how they are able to hide their presence within hard drives by reprogramming the firmware!
Learning Objectives -
This course is an enrichment-style lab immersion concept:
This class has recently been retooled to focus on battling the much-maligned Advanced Persistent Threat (APT). The class motto is "APT is in your network, start hunting". The APT focus makes it 100% relevant not just to forensic investigators, but to anyone wanting to learn to defend their network. The material: this course is a smorgasbord of valuable skills and information for incident responders, system administrators, and forensicators alike.
This course is developed around an "as real as it gets" scenario. The scenario is about an R&D firm that makes a great discovery, only to be hacked by an APT. Students are given four hosts on which to conduct forensic investigations to determine what happened. Questions such as the initial infection vector, when the initial infection occurred, what data was lost, and the current state of the network can be answered.
When we talk about this lab, it is important to understand the level of detail used to create this virtual network. Not only did the network have hundreds of hosts and thousands of users, we ensured this network looked as real as possible. We hired a professional Red Team and trained them up to act like an APT, we hired domain architects to build the domain in a professional and secure manner, and we even loaded the systems with some of the latest security tools. You will not find a lab this extensive anywhere else!
Overall: All in all, this course is so relevant and so practical that there is no reason not to put it on your wishlist. If you are serious about finding bad guys in your network, because, let's face it, they are there, then this course has your name on it.
Exam: Live NetWars. Following along with the labs, we created a forensic version of NetWars which tests students on basic forensic artifacts, timeline, registry, file system, and memory analysis. Anyone who has participated in NetWars will agree that it is a terrific learning environment and is worth the investment of time. This exam is a pass/fail capture-the-flag.